Instagram users have reported a surge in unexpected password reset emails, arriving just as news circulated that a database containing more than 17 million Instagram accounts had been leaked on the dark web. Together, the two events have raised concerns about a possible data breach and left many users worried about the security of their accounts.

Here’s what happened and what you can do to keep your Instagram account safe.

What led to the Instagram password reset emails?

In January 2026, Instagram users began receiving multiple password reset notifications from security@mail.instagram.com. The users had not, however, requested to reset their passwords. For some, the emails arrived repeatedly over short periods of time, triggering fears that their accounts were actively under attack.

Meta, Instagram’s parent company, confirmed that a bug had allowed an external party to request password reset emails for other users. It said that it fixed the issue, emphasizing that there was no breach of Instagram’s systems and that accounts remain secure. The company didn’t provide technical details on how the bug occurred and instead downplayed the severity of the issue. Meta urged users to just ignore the emails.

At this time, there’s no confirmed evidence of a new Instagram data breach. The dataset that was freely posted on a dark-web forum in January 2026 appears to consist of previously scraped Instagram data. Some sources have speculated that it may be connected to a historical Instagram API scraping incident in 2024 or 2022, though Meta has denied knowledge of any such incidents. The information includes usernames, email addresses, phone numbers, countries, and other sensitive information, but not passwords.

If there’s no Instagram data leak, why care about password reset emails?

The emails themselves may be legitimate and generated by Instagram’s automated systems. A wave of repeated reset emails, however, can be part of a broader phishing strategy that relies on something called “alert fatigue.”

Security-aware people tend to inspect suspicious emails carefully, avoid clicking unknown links, and respond quickly to real security alerts. But if attackers repeatedly trigger legitimate password reset emails, they can slowly wear people down. Eventually, when a genuine security alert appears, it’s easy to assume it’s just another false alarm and ignore it, giving attackers extra time to move in, a bit like “the boy who cried wolf.”

How to change your Instagram password safely

If you want to change your password, do so only through Instagram directly:

  1. In your Instagram app, open Accounts Center.
  2. Go to Password and security.
  3. Select Change password and choose an account.
  4. Enter the current and new password.
  5. If you suspect that someone else has used your account, select Log out of other devices.
  6. Click or tap Change password to confirm.

How to reset your Instagram password

If you forgot your Instagram password and can’t log in anymore, here’s what you should do:

  1. Open the Instagram app.
  2. Select Forgot password?
  3. Enter the username, email, or phone associated with your Instagram account, then select Continue.
  4. A link will be sent to your email. Open the email and click Reset your password.
  5. Enter a new password, confirm it, and select Reset Password.

How to keep your Instagram account safe

Even though the recent wave of Instagram password reset emails involved legitimate messages, attackers could use moments like this to launch follow-up scams. Here’s how to protect yourself:

Use a unique, strong password

Your Instagram password should be long, complex, and used only on this platform. If you reuse the password across multiple websites, a breach elsewhere could put your Instagram account at risk through credential stuffing attacks, where cybercriminals take email-and-password combinations from one breach and automatically test them on other platforms, including social media.

A password manager helps you generate and store unique passwords without needing to remember them all.

Enable two-factor authentication

2FA adds an extra layer of security when you log in, such as a one-time code generated by an authentication app. Even if an attacker manages to guess your password or obtain it from another breach, they still won’t be able to access your account without this second factor.

Here’s how to enable 2FA on Instagram and save it to Proton Pass:

  1. In your Instagram app, open Accounts Center.
  2. Go to Password and security.
  3. Select Two-factor authentication and choose an account.
  4. Choose Authentication app and click or tap Next.
  5. Select Copy key and then Next.
  6. Open the Proton Pass app and find your Instagram entry. If you haven’t saved it yet, add your Instagram login first.
  7. Tap Edit, add the Instagram key to 2FA secret key (TOTP), and save changes.
  8. Tap 2FA token (TOTP) to copy the key.
  9. Return to the Instagram app, paste the key, and tap Next to finalize setup.

When you log in to your Instagram account, you’ll be prompted to enter the 2FA code stored in your Proton Pass account after submitting your Instagram password.
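
To show what the key copied in the steps above is used for, here is an added example (not Instagram's or Proton Pass's code) of the RFC 6238 TOTP calculation an authenticator app performs, plus the matching server-side check. It assumes the common defaults of HMAC-SHA1, 6 digits and a 30-second step, which this article does not state for Instagram, and it uses a constructed sample key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample key: the RFC 6238 test secret, base32-encoded. Not a real account key.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()


def decode_key(key: str) -> bytes:
    """Normalize a key as pasted from a setup screen: drop spaces/dashes, uppercase, re-pad."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(key: str, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """Code for the time step containing `at` (assumed parameters: SHA-1, 30 s, 6 digits)."""
    now = time.time() if at is None else at
    counter = int(now // period)
    mac = hmac.new(decode_key(key), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key: str, submitted: str, at: Optional[float] = None,
           period: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side, to tolerate clock drift."""
    now = time.time() if at is None else at
    ok = False
    for step in range(-window, window + 1):
        t = now + step * period
        if t < 0:
            continue  # no time step exists before the epoch
        # Constant-time comparison; keep looping so timing does not reveal which step matched.
        ok |= hmac.compare_digest(totp(key, t, period).encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print("current code for the sample key:", totp(SAMPLE_KEY))
```

The code depends only on the key and the clock, so anyone who holds the key can produce valid codes; that is why the key belongs in an encrypted vault rather than a note or screenshot.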

Just as importantly, Instagram will alert you when a login attempt requires verification. If you receive such a prompt without trying to sign in yourself, it’s a clear sign someone else is attempting to access your account, and you can change your password.

Proton Pass automatically identifies weak or reused passwords, and inactive 2FA. You can also use Dark Web Monitoring to get alerted if your email and password were part of a data breach.

Watch out for unexpected emails and texts

Attackers often exploit confusion by sending follow-up messages that look similar but are fake, pushing you to act fast. Be especially cautious of direct messages claiming to be from Meta support, and texts or emails demanding immediate action or verification codes. 

Stay safe with Proton Pass

Proton Pass is a free password manager that protects your data with end-to-end encryption, which means no one but you can access your data. Not even us. It helps you stay ahead of evolving threats by securing your credentials, including 2FA codes. Plus, Pass can detect weak or reused passwords or inactive 2FA, and alert you if your information appears in a breach, so you can act before attackers do.